Saturday, August 20, 2011

"In response to work by Stanford University researchers who found that Microsoft and several other high-profile companies were using a controversial technique to keep persistent cookies on users' PCs to track their movements, Microsoft says it has discontinued the practice of using so-called 'supercookies.' In July, Jonathan Mayer, a graduate student at Stanford, revealed that some companies were still employing techniques that enabled browser history sniffing, which give the companies information on what sites users have visited and what links they've clicked on. The research also found that some companies were using cookies that re-spawn even after users have deleted them. Microsoft was using this technique on one of its sites, MSN.com, and now the company said that it is no longer doing so."

Interesting. How am I to understand a law that different states interpret differently?

The state of Schleswig-Holstein has ordered all government offices to remove the button from their Web presence and shut down any Facebook "fan" pages, on the grounds that these things violate German and European data privacy laws. A release from the Independent Centre for Privacy Protection in the German state claims that information collected from German users' "liking" and other activities is sent back to the United States where Facebook uses it to create a profile, all of which runs afoul of Germany's uberstrict privacy laws.

Sites that don't comply with the take-down order could face a 50,000 Euro fine.

The agency goes on to urge German residents to go a step further and give Facebook one big existential thumbs down. It warns to resist the temptation to click on social plug-ins or to even start a Facebook account, all to "avoid a comprehensive profiling by the company."

(Related) It's not that big a deal in the US... (According to Facebook)

"A number of car makers are looking at whether EEG devices built into headrests could prevent accidents by sensing when a driver is in danger of drifting off. The technology comes from Neurosky, which already makes commercial EEG units for use in gaming and market research. Other approaches, such as using cameras to spot drooping eyelids, have proven too unreliable so far. From the story: 'Fatigue causes more than 100,000 crashes and 40,000 injuries, and around 1,550 deaths, per year in the United States, according to the National Highway Traffic Safety Administration. Some studies suggest drowsiness is involved in 20 to 25 percent of all crashes on monotonous stretches of road.'"

"Google search anthropologist Dan Russell says that 90 percent of people in his studies don't know how to use CTRL/Command + F to find a word in a document or web page. 'I do these field studies and I can't tell you how many hours I've sat in somebody's house as they've read through a long document trying to find the result they're looking for,' says Russell, who has studied thousands of people on how they search for stuff. 'At the end I'll say to them, "Let me show one little trick here," and very often people will say, "I can't believe I've been wasting my life!"' Just like we learn to skim tables of content or look through an index or just skim chapter titles to find what we're looking for, we need to teach people about this CTRL+F thing, says Alexis Madrigal. 'I probably use that trick 20 times per day and yet the vast majority of people don't use it at all,' writes Madrigal. 'We're talking about the future of almost all knowledge acquisition and yet schools don't spend nearly as much time on this skill as they do on other equally important areas.'"

Wow. The day after HP announces they’re discontinuing all their webOS devices, and they’ve already issued a liquidation order. Best Buy, Future Shop, The Source, London Drugs, and Staples will be selling the 16GB TouchPad for $100, and the 32GB version for $150 starting tomorrow. Well, in Canada at least.

Friday, August 19, 2011

Unlikely that Vanguard was specifically targeted. Most likely (those who hope they will remain) Anonymous found a simple vulnerability (perhaps an unencrypted home wifi link?) and can now pretend to have defeated the company's security.

"Social media isn't just great for starting 'social unrest,' it's proving to be quite helpful for quashing it too. Not long after the bricks began to fly in London's latest kerfuffle, locals angry over raging mobs scrambled to assist the police in their attempt to identify street-fighters and free-for-all hooligans … Now with more than 1,000 people charged over the chaos, a few citizen groups continue to provide web-based rioter identification platforms, in hopes of being good subjects, maintaining the country's pursuit of order, and keeping their neighborhoods safe."

“These additions are just carrying on the tradition of a dictionary that has always sought to be progressive and up to date,” Angus Stevenson, editor of the latest edition, wrote in a blog post discussing the 400 new entries to the reference guide.

The Concise Oxford English Dictionary (not to be confused with the larger Oxford English Dictionary, which added LOL, OMG and ♥) also refined some definitions of existing words to place them in a modern context. For example, follower now means “someone who is tracking a particular person, group, etc. on a social networking site.”

Update: As it turns out, a single French girl is claiming responsibility for today’s hack. And it was easy, this being her first hack ever. Going by the AIM handle “Lamaline_5mg,” she told SFWeekly that BART had zero security in place to stop her. All she had to do was write a script and break through a single gaping hole in their site.

“Henceforth our WiFi links will be named: 'This is not an FBI Surveillance Van, move along!'”

"The suspect who is accused of planning to bomb his high school in Tampa updated his Facebook status with the following: 'The weirdest thing happened today...when my homie Nic Peezy was trying to connect to a wireless network the connections list came up and one of them was called: FBI_SURVEILLANCE_VAN,' The FBI might want to revisit their wireless network naming conventions."

Is there something I'm not aware of that makes this market less desirable? If the big players are ducking out, who owns the market?

Another one bites the dust. At the end of June, the names Google PowerMeter and Microsoft Hohm were chiseled on the grave marker of casualties in the race to build smart grid-linked software and gizmos. To this list of famous fallen, Cisco Systems adds its name, with an announcement yesterday that it will exit building management software services while also retreating from the home energy management market.

Federal Computer Week "Although Google+ has attracted more than 10 million users since its recent debut, many people in government are wondering what it is and how it ought to be used. Thanks to the Navy, now there is an overview of the new site. The Navy recently published a 13-page online guide titled What’s the deal with Google+? on the SlideShare website, providing a basic introduction to the new social networking site and how it could be used by individuals. The Navy’s presentation had been viewed by 606 people as of Aug. 16."

"The Department of Veterans Affairs (VA) endorses the secure use of Web-based collaboration and social media tools to enhance communication, stakeholder outreach collaboration, and information exchange; streamline processes; and foster productivity improvements. Use of these tools supports VA and VA’s goal of achieving an interoperable, net-centric environment by improving employee effectiveness through seamless access to information. Web-based collaboration tools enable widely dispersed facilities and VA personnel to more effectively collaborate and share information—which can result in better productivity, higher efficiency, and foster innovation. This Directive establishes policy on the proper use of these tools, consistent with applicable laws, regulations, and policies."

To date, Gallatin police have received 203 fraud reports related to the outbreak, with the majority of charges showing up on bank and credit card statements as purchases between $80-$100 at locations in various Florida cities.

Investigators discovered the source of the outbreak, which police initially pinpointed to a location around the 1400 block of Nashville Pike, but the business has not been identified because it is also considered a victim of the scam.

The information was not stolen through a skimming device on a card-swipe machine as Gallatin police originally believed, Mays said.

In terms of size, Mays described the Gallatin outbreak as a “small-scale, localized event that resulted from a computer that was not adequately protected.”

The business “is aware of it, has taken mitigating measures and it’s safe to use your card,” he said. “I don’t think there’s any reason to be unduly alarmed or afraid.”

However, although there isn’t a threat that card information is currently being stolen, consumers who made purchases at the unidentified business in the past may still see fraudulent charges show up on their statements.

“If I go into a computer somewhere as a hacker and I steal 1,000 credit card numbers, that doesn’t mean all 1,000 of those numbers will be used tomorrow,” Mays said.

“A hacker will sell them off bit by bit or in large groups to people who will use them, and that might take place tomorrow or it might take place several months from now.”

Investigators said it is likely some consumers made a purchase at the business many months ago and only recently saw illicit charges on their accounts. For this reason, police have encouraged credit and debit card users to monitor their monthly statements carefully and report any suspicious activity to their card companies.

Why the hell not alert people, “Hey, if you did business at _______ during ____ to ____, be sure to check your statements or contact your bank and cancel your card?” The way they’re handling this, consumers are not being given information I think they should be given.

"Using a secret vSphere console, Jason Cornish, formerly an IT staffer at the U.S. subsidiary of drug-maker Shionogi, wiped out most of the company's computer infrastructure earlier this year. Cornish, 37, pleaded guilty Tuesday to computer intrusion charges in connection with the attack."

[From the article:

He wiped out 15 VMware host systems that were running e-mail, order tracking, financial and other services for the Florham Park, New Jersey, company.

"The Feb. 3 attack effectively froze Shionogi's operations for a number of days, leaving company employees unable to ship product, to cut checks, or even to communicate via e-mail," the U.S. Department of Justice said in court filings. Total cost to Shionogi: $800,000.

Cornish had resigned from the company in July 2010 after getting into a dispute with management, but he had been kept on as a consultant for two more months.

Then, in September 2010, the drug-maker laid off Cornish and other employees, but it did a bad job of revoking passwords to the network. [ya think? Bob] One employee, who was Cornish's friend and former boss, allegedly refused to hand over network passwords to company officials and eventually was fired because of this.

If I read this correctly, AT&T didn't bother to check on these guys before opening their database to them. Surely they noticed “hundreds of millions” of spoofed calls – couldn't they stop them?

AT&T claims two Utah men defrauded it by breaking into its caller-ID system with auto-dialers to steal valuable customer data through “hundreds of millions of ‘spoofed’ telephone calls.” They probably used the stolen information for telemarketing, AT&T says.

In a federal complaint in Dallas, AT&T and its subsidiaries claim that Phil Iverson and Chris J. Gose masterminded the scam, acting, or claiming to act, on behalf of co-defendants CCI Communications, Feature Films for Families, and Blue Skye, among others.

AT&T claims the men used an auto-dialing program to repeatedly and deliberately place “spoofed” calls to landline and wireless customers.

"Since 2006, AT&T's internal network fraud detection organization has uncovered numerous instances of defendants' data mining schemes. In some cases, AT&T has terminated or disabled the services that defendants have used to accomplish their unlawful data mining; in other cases, defendants themselves have stopped using their AT&T services once the fraud has been detected.

… To run the scam, AT&T says, the men purchased some of its services, including caller ID, then made spoofed calls to cause AT&T's computerized switching system to generate an electronic caller ID inquiry to send information to the called party.
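Bob's question above ("couldn't they stop them?") is really a detection question. The complaint describes the pattern: one subscriber account, an auto-dialer, a different spoofed caller ID on call after call, so that the switch is tricked into doing a caller-ID lookup on each called party. Below is an added toy detector for that pattern; it is not AT&T's fraud-detection logic (the complaint does not describe it), and the record fields, thresholds and sample call records are all assumptions constructed for the demo. The heuristic flags an originating account that bursts calls, and either rotates its presented caller ID or walks through destination numbers in sequence, the two fingerprints of a spoofing auto-dialer.

```javascript
// Added example, not from the AT&T complaint. Constructed call detail
// records: `account` is the originating subscriber, `callerId` the number
// presented to the called party, `to` the dialed number, `ts` seconds
// since the start of the capture. All numbers are fictional 555 numbers.
const SAMPLE_CALLS = [
  // account A1: six calls in under a minute, consecutive destinations,
  // a different presented caller ID on every call (auto-dialer + spoofing)
  { account: 'A1', callerId: '2145550101', to: '9725551000', ts: 0 },
  { account: 'A1', callerId: '2145550102', to: '9725551001', ts: 10 },
  { account: 'A1', callerId: '2145550103', to: '9725551002', ts: 20 },
  { account: 'A1', callerId: '2145550104', to: '9725551003', ts: 30 },
  { account: 'A1', callerId: '2145550105', to: '9725551004', ts: 40 },
  { account: 'A1', callerId: '2145550106', to: '9725551005', ts: 50 },
  // account B7: ordinary usage, one fixed caller ID, spread over an hour
  { account: 'B7', callerId: '2145559999', to: '8175552211', ts: 0 },
  { account: 'B7', callerId: '2145559999', to: '4695553344', ts: 900 },
  { account: 'B7', callerId: '2145559999', to: '8175552211', ts: 3600 },
];

// Fraction of consecutive calls (in time order) whose destination numbers
// differ by exactly one: the signature of a dialer sweeping a number block.
function sequentialFraction(sorted) {
  if (sorted.length < 2) return 0;
  let seq = 0;
  for (let i = 1; i < sorted.length; i++) {
    const d = Number(sorted[i].to) - Number(sorted[i - 1].to);
    if (d === 1 || d === -1) seq++;
  }
  return seq / (sorted.length - 1);
}

// Largest number of calls falling inside any window of `windowSec` seconds
// (two-pointer sweep over the time-sorted list).
function peakCallsInWindow(sorted, windowSec) {
  let best = 0;
  let lo = 0;
  for (let hi = 0; hi < sorted.length; hi++) {
    while (sorted[hi].ts - sorted[lo].ts > windowSec) lo++;
    best = Math.max(best, hi - lo + 1);
  }
  return best;
}

// Score every originating account. Thresholds are assumed values for the
// demo; a carrier would tune them against real traffic.
function analyzeAccounts(calls, opts = {}) {
  const {
    minCalls = 5,          // burst size that is worth looking at
    windowSec = 120,       // burst window
    maxCallerIds = 2,      // more distinct presented IDs than this = rotation
    minSeqFraction = 0.5,  // at least half the calls sweep sequentially
  } = opts;

  const byAccount = new Map();
  for (const c of calls) {
    if (!byAccount.has(c.account)) byAccount.set(c.account, []);
    byAccount.get(c.account).push(c);
  }

  const results = [];
  for (const [account, list] of byAccount) {
    const sorted = [...list].sort((a, b) => a.ts - b.ts);
    const distinctCallerIds = new Set(sorted.map((c) => c.callerId)).size;
    const seqFraction = sequentialFraction(sorted);
    const peak = peakCallsInWindow(sorted, windowSec);
    // A burst alone is not enough (call centres burst too); it has to be a
    // burst that also rotates caller ID or sweeps a number block.
    const suspicious =
      peak >= minCalls && (distinctCallerIds > maxCallerIds || seqFraction >= minSeqFraction);
    results.push({ account, calls: sorted.length, distinctCallerIds, seqFraction, peak, suspicious });
  }
  return results;
}

// Convenience: just the accounts worth a fraud analyst's time.
function flaggedAccounts(calls, opts) {
  return analyzeAccounts(calls, opts).filter((r) => r.suspicious).map((r) => r.account);
}
```

Run on the constructed records, `flaggedAccounts(SAMPLE_CALLS)` returns `['A1']`; B7's three calls never cluster into a burst, keep one caller ID and hit no sequential destinations. Note what the check does not do: it never inspects the caller-ID lookup itself, only the originating account's behaviour, which is exactly the vantage point the carrier has and the called party does not.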

A privacy researcher has revealed the evil genius behind a for-profit web analytics service capable of following users across more than 500 sites, even when all cookie storage was disabled and sites were viewed using a browser’s privacy mode.

The technique, which worked with sites including Hulu, Spotify and GigaOm, is controversial because it allowed analytics startup KISSmetrics to construct detailed browsing histories even when users went through considerable trouble to prevent tracking of the websites they viewed. It had the ability to resurrect cookies that were deleted, and could also compile a user’s browsing history across two or more different browsers. It came to light only after academic researchers published a paper late last month.
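The "respawning" mentioned here and in the Microsoft item above comes down to one trick: the tracker keeps a copy of its visitor ID somewhere other than the cookie jar, and when the cookie is gone it quietly writes it back. The simulation below is an added example, not code from KISSmetrics or from the researchers' paper, and this page does not say which storage channels the service used, so the second store is a stand-in for any of them. Both stores are plain `Map`s so it runs under Node without a browser; the tracker, the `visitor_id` key and the ID generator are all invented for the demo.

```javascript
// Added example (not from the article or from any tracking vendor): a
// minimal simulation of cookie respawning and of what it takes to stop it.
const ID_KEY = 'visitor_id';

// Hypothetical tracker. `cookies` stands for the browser's cookie jar,
// `backup` for any second client-side store the page can read and write,
// `genId` hands out a fresh identifier when nothing is found anywhere.
function makeTracker(cookies, backup, genId) {
  function identify() {
    let id = cookies.get(ID_KEY);
    if (id === undefined) {
      // Cookie missing, whether never set or cleared by the user:
      // respawn it from the backup store if the old ID is still there.
      id = backup.get(ID_KEY);
    }
    if (id === undefined) id = genId();
    // Re-mirror on every visit so either store can restore the other.
    cookies.set(ID_KEY, id);
    backup.set(ID_KEY, id);
    return id;
  }
  return { identify };
}

// What "clear cookies" in a browser does: the cookie jar alone is emptied.
function clearCookies(cookies) {
  cookies.clear();
}

// What actually breaks the tracking link: every store the tracker mirrors
// into has to be cleared in the same operation.
function clearAllStores(...stores) {
  for (const s of stores) s.clear();
}

// Deterministic ID source for the demo (constructed, not real identifiers).
function makeCounter() {
  let n = 0;
  return () => `id-${++n}`;
}

// Walk through the scenario and report the ID seen at each step.
function scenario() {
  const cookies = new Map();
  const backup = new Map();
  const tracker = makeTracker(cookies, backup, makeCounter());

  const first = tracker.identify();            // brand-new visitor
  clearCookies(cookies);
  const afterCookieClear = tracker.identify(); // respawned: same ID as before
  clearAllStores(cookies, backup);
  const afterFullClear = tracker.identify();   // now genuinely a new visitor

  return { first, afterCookieClear, afterFullClear };
}
```

`scenario()` returns the same identifier before and after the cookie-only clear, and a different one only after both stores are wiped. That is the whole point of the article: a user who clears cookies, or runs a private-browsing session that discards cookies but not every other channel the page can write to, has not necessarily reset anything. The defensive lesson is the symmetric one: a tracking-protection feature has to enumerate every store a page can read back from, not just the cookie jar.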

Revealed: Operation Shady RAT by Dmitri Alperovitch, Vice President, Threat Research, McAfee: "An investigation of targeted intrusions into more than 70 global companies, governments, and non-profit organizations during the last five years."

"...the targeted compromises we are focused on — known as advanced persistent threats (APTs) — are much more insidious and occur largely without public disclosures. They present a far greater threat to companies and governments, as the adversary is tenaciously persistent in achieving their objectives. The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat. What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth — closely guarded national secrets (including those from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, supervisory control and data acquisition (SCADA) configurations, design schematics, and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries."

AntiSec is targeting defense contractors again. Continuing their beef with law enforcement, and organizations that offer them support, they have targeted Richard Garcia, the Senior Vice President of Vanguard Defense Industries (VDI). AntiSec plans to release nearly 4,713 emails and thousands of documents taken during the breach.

VDI is the Texas-based firm responsible for ShadowHawk, an unmanned helicopter that can be tasked with aerial surveillance or equipped for military usage.

These cases raise lots of interesting questions. If a reporter had filmed this incident, would there be any question of legitimacy/legality? How about a tape from a surveillance camera?

"A police officer who was disciplined for his role in the beating of a Massachusetts man (many broken bones in his face and permanent partial blindness) is looking to bring criminal wiretapping charges against the woman who caught much of the incident on video. The officer received a 45-day suspension for the beating. He does not appear to deny anything that happened in the video, but he apparently thinks it shouldn't have been filmed."

This is a rather simple device, but they must have other evidence of the content of a secure signal, right?

more confidently enter the suspect's location, if they determine a wireless network is secured, knowing that illegal Internet content is being downloaded from within that residence;

… You know, secured wireless networks can be cracked. Since Fluke said police can rest-assured that a suspect downloading illegal content on a secured network is the offender, I'm curious to see what happens when an innocent person wrongfully gets busted.

"When copyright law was revised in the mid-1970s, musicians, like creators of other works of art, were granted 'termination rights,' which allow them to regain control of their work after 35 years, so long as they apply at least two years in advance. Recordings from 1978 are the first to fall under the purview of the law, but in a matter of months, hits from 1979, like 'The Long Run' by the Eagles and 'Bad Girls' by Donna Summer, will be in the same situation. ... 'We believe the termination right doesn’t apply to most sound recordings,' said Steven Marks, general counsel for the Recording Industry Association of America, a lobbying group in Washington that represents the interests of record labels. As the record companies see it, the master recordings belong to them in perpetuity, rather than to the artists who wrote and recorded the songs, because, the labels argue, the records are 'works for hire,' compilations created not by independent performers but by musicians who are, in essence, their employees."

"Standard & Poor's downgrading of the U.S. government’s credit rating does not have any impact on individual states ratings, meaning those states that have the highest AAA rating won't have to face an automatic downgrade. There are 13 states that have the coveted Triple A credit rating by S&P, and many other states that have the same AA+ credit rating as the U.S., but with a "stable" outlook rather than the "negative" outlook of the U.S. That’s because bond issuers that have little dependence on the federal government, or that are likely to manage federal budget cuts without hurting their credit, should be able to hold on to their top ratings, an S&P analyst wrote." [via the Business Journals]

This database includes all 50 U.S. states and their ratings by S&P. [Online Database by Caspio]

InfiniteGraph Steps Out Of Beta To Help Companies Identify Deep Relationships In Large Data Sets

Last year, Eric Schmidt, the former CEO of Google, told a crowd gathered at the Techonomy Conference in Lake Tahoe, CA that we now create as much information in two days as we did from the dawn of civilization through 2003. While Roger J. Moore would disagree and amend that estimation slightly, the fact of the matter is that today we’re seeing a ridiculous (and exponential) telescoping in data production and consumption — which will only continue to increase.

Thus, in today’s world, data is becoming a valuable commodity. Many companies strive to collect as much data about their customer’s habits and interactions as possible to better serve them with ads, recommendations, discovery tools, and personalized product or service experiences (and so on). But, the fact of the matter is, big data management and analysis is still clunky and without being able to understand what that big data means — without being able to identify the important relationships, connections, and patterns within the data — it’s just a big pile of numbers and symbols.

… In theory, there have been more than 1,100 sites hacked. The current leader with a #1 ranking attacked the Huffington Post. Other sites range from Mashable, Mapquest, Monster, Flickr, Linkedin and many more. While XSS (cross-site scripting) attacks are worth fewer points, ['cause anyone can do it... Bob] there are bonus points called "bounty" awarded for hacking government, military, educational or racist websites. Bounties offer "additional ranking point reward" and Ku Klux Klan sites are included on that reward list. Allegedly MIT, Princeton, Harvard, Cornell, Georgetown, and Stanford have all been hacked and that's but naming a few.

If this site is for real, a potential attacker can input a website URL to see how many ranking points it would be worth. In the name of testing purposes, a person might be curious enough to test a couple in order to list examples: "nytimes.com is worth 1704545 Ranking Points. XSS attacks against nytimes.com are worth 17045 points." And "wired.com is worth 237341 Ranking Points. XSS attacks against wired.com are worth 2373 points." This is not an endorsement or a suggestion to hack anyone. [Sure... Bob]

About Me

I live in Centennial Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.